asadotzler a day ago
That's an exaggeration. Most industry leaders do not require NDAs, only coordinated disclosure. Mozilla's program, which has been around longer than most, doesn't. Google and Microsoft don't. Meta and Apple don't. This is water carrying, intentional or not, for a terrible practice that should be shamed, so that it doesn't become standard.
tptacek a day ago
My understanding is that all Bugcrowd bounties do by default. You can shame it all you want, but you can also just publish your bugs directly. Nobody has to use the Bugcrowd platform. You don't even have to wait 45 days; I don't buy these "CERT/CC" rules.